A law enforcement operation led by Europol and assisted by Symantec, Microsoft, and a number of other industry partners, has today seized servers and other infrastructure owned by the cybercrime group behind the Ramnit botnet (detected by Symantec as W32.Ramnit.B). The group has been in operation for at least five years and in that time has evolved into a major criminal enterprise, infecting more than 3.2 million computers in total and defrauding large numbers of innocent victims. It is hoped that today’s operation will strike a significant blow against the resources and capabilities of the gang.
Ramnit provides attackers with multiple ways to defraud a victim once their computer is compromised. It is capable of monitoring their web browsing sessions and stealing banking credentials. It can steal website cookies allowing attackers to impersonate the victim, take files from the victim’s hard disk, and grant the attackers remote access to the computer, allowing them to exfiltrate stolen information or download additional malware.
An evolving threat
Ramnit (W32.Ramnit) began life as a worm, first appearing in 2010 and spreading quickly due to aggressive self-propagation tactics. Once it compromised a computer, it sought out all EXE, DLL, HTM, and HTML files on the local hard disk and any removable drives and attempted to infect them with copies of itself.
Over time the malware has evolved as its controllers appeared to shift their focus from building the botnet to exploiting it. The most recent version of Ramnit (W32.Ramnit.B) has abandoned the file infection routine in favor of a range of alternative infection methods. Its cybercrime capabilities were beefed up considerably with a number of different modules that are borrowed from the Zeus Trojan (Trojan.Zbot), whose source code was leaked in May 2011. This development transformed the Ramnit botnet into a vast cybercrime empire, spanning up to 350,000 compromised computers at present, harvesting banking credentials, passwords, cookies, and personal files from victims.
Ramnit is now a fully-featured cybercrime tool, featuring six standard modules that provide attackers with multiple ways to compromise a victim.
- Spy module: One of the most powerful Ramnit features, it monitors the victim’s web browsing and detects when they visit certain web pages, such as online banking sites. It can inject itself into the victim’s browser and manipulate the bank’s website, making it appear the bank is asking the victim for additional credentials, such as credit card details. This stolen data can then be used to facilitate fraud.
- Cookie grabber: This feature will steal session cookies from web browsers and send them back to the attackers, who can then use the cookies to authenticate themselves on websites and impersonate the victim. This could allow the attacker to hijack online banking sessions.
- Drive scanner: This scans the computer’s hard drive and steals files from it. It is configured to search specific folders that are deemed likely to contain sensitive information such as passwords.
- Anonymous FTP server: By connecting to this server, the malware lets attackers remotely access the compromised computer and browse the file system. They can use the server to upload, download, or delete files and execute commands.
- Virtual network computing (VNC) module: This provides the attackers with another means to gain remote access to the computer.
- FTP grabber: This feature allows the attackers to gather login credentials for a large number of FTP clients.
A persistent threat
Ramnit’s authors have incorporated a number of features that make it difficult to banish from a compromised computer. During installation, it will place a copy of itself into the computer’s memory as well as writing itself to the hard disk. The memory-based copy actively monitors the hard disk and, if it detects that the hard disk-based copy has been removed or quarantined, it will drop another copy back on to the hard disk to keep the infection alive.
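As an added detection example (not from the Symantec post, and using constructed endpoint events rather than real Ramnit indicators), here is one way a defender can correlate a file removal with a rapid re-creation of the same path by an untrusted process, which is the watchdog behaviour described above. The event format, process names, file paths and the 30-second window are all assumptions.

```python
# Added example, not from the original post: flag the "re-drop" pattern in which a
# file is quarantined or deleted and then re-created at the same path within a few
# seconds by a process that is not the security product.
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, action, path, actor process).
# Paths and process names are illustrative assumptions, not Ramnit indicators.
SAMPLE_EVENTS = [
    ("2015-02-25T10:00:00", "file_quarantined", r"C:\Users\bob\AppData\Local\xyz.exe", "av_engine.exe"),
    ("2015-02-25T10:00:04", "file_created",     r"C:\Users\bob\AppData\Local\xyz.exe", "svchost.exe"),
    ("2015-02-25T10:05:00", "file_deleted",     r"C:\Users\bob\Downloads\setup.tmp",   "explorer.exe"),
    ("2015-02-25T11:00:00", "file_created",     r"C:\Users\bob\Downloads\setup.tmp",   "explorer.exe"),
    ("2015-02-25T12:00:00", "file_quarantined", r"C:\Users\bob\AppData\Roaming\abc.dll", "av_engine.exe"),
    ("2015-02-25T12:00:01", "file_created",     r"C:\Users\bob\AppData\Roaming\abc.dll", "av_engine.exe"),
]

TRUSTED_ACTORS = {"av_engine.exe"}  # assumed process name of the security product
REMOVAL_ACTIONS = {"file_quarantined", "file_deleted"}


def find_redrops(events, window_seconds=30, trusted=TRUSTED_ACTORS):
    """Return (path, removed_at, recreated_at, actor) for every path that is
    removed and then re-created within window_seconds by an untrusted process."""
    pending = {}  # path -> time of the most recent removal of that path
    hits = []
    for ts, action, path, actor in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if action in REMOVAL_ACTIONS:
            pending[path] = t
        elif action == "file_created" and path in pending:
            removed_at = pending.pop(path)
            quick = t - removed_at <= timedelta(seconds=window_seconds)
            if quick and actor not in trusted:
                hits.append((path, removed_at, t, actor))
    return hits


if __name__ == "__main__":
    for path, removed, recreated, actor in find_redrops(SAMPLE_EVENTS):
        delay = (recreated - removed).seconds
        print(f"possible re-drop: {path} restored by {actor} {delay}s after removal")
```

Only the first pair fires: the second re-creation is far outside the window and the third is the security product restoring its own quarantine.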
How Ramnit spreads
While early versions of Ramnit relied on file infection routines to spread, the attackers today exhibit a high degree of resourcefulness, using a number of different tactics to compromise victims. One of the main recent methods has been exploit kits hosted on compromised websites and social media pages. In addition to this, public FTP servers have also been found to be distributing the malware. Another possible route of compromise has been through potentially unwanted applications, which are inadvertently installed as part of software bundles from less reputable sources.
Locations of victims
Ramnit has affected victims across the world and infections have been found in most countries. The worst affected countries in recent times have been India, Indonesia, Vietnam, Bangladesh, the US, and the Philippines.
Figure. Ramnit infections by region
While the number of infected computers has decreased over time, the Ramnit botnet is still very active. For example, Symantec blocked a daily average of around 6,700 new infections in November 2014. This was down from a daily average of 8,000 in May 2014.
Indicators of compromise for security administrators, along with more detailed technical information, can be found in our technical paper: W32.Ramnit analysis.
Symantec has released a tool that will check for a Ramnit infection and allow you to remove it from a compromised computer. Visit this page to download the tool.
Symantec and Norton products have the following detections in place for Ramnit:
Intrusion prevention system